There's that scene in Ocean's Eleven (2001) where the criminals (or good guys, depending on your take) need to break into an underground vault monitored with security cameras, so they patch in a static video loop. The guard, at his station, sees nothing unusual while the thieves enter the vault and walk away with millions of dollars. In reality, that's hard to pull off. Or is it? A new paper suggests that hacking into IP-enabled security cameras, like those used by governments and large corporations, might be as easy as typing in a cross-site scripting attack using any Internet browser anywhere in the world. And once you remotely own the camera, why not use the security camera as a stepping stone to hack the rest of the network?
The Axis 2100
This week I spoke with Adrian Pastor of ProCheckup, a London-based security company. He recently published a paper on GNUCitizen titled "Owning Big Brother" (PDF), in which he discusses in great detail how he was able to own an Axis 2100 camera in his testing lab. Although the 2100 model is no longer in production, Pastor said, it "is still in use by governments, corporations. It's everywhere." The camera is basically "your typical embedded device running in Linux, a basic box with a Web server called BOA."
The Axis 2100 camera "is used for security reasons, for surveillance, and we thought it would be really cool if you could replace the video stream." The process, Pastor says, is actually very simple. "The video replacement is just some HTML. The only thing that gets a bit more fancy when it gets to exploiting it, it's bit of a combination of JavaScript and the HTML that's injected. But it's just a very simple payload that's injected through the logs page. That's all it is." You can see a video of such an attack here.
Cross-site scripting
I've written before about the dangers of cross-site scripting (XSS) (here, here, and here). Basically, criminals find a vulnerable Web page and then inject a snippet of JavaScript into the URL. The JavaScript then becomes persistent on the Web server; that means it remains a part of the page, so that when someone else visits the page, they, too, receive the code the attacker inserted. Unless the Web admin is aware of the XSS change, the page will continue to host the script, which may include malware or calls to third-party sites.
The attacks in the paper use both cross-site scripting and cross-site request forgeries, where the browser asks the Web server to send out third-party requests, which means both the desktop client and the Web server are involved. "It's both, because we had [in the paper] an XSS on the error page, which, I believe, is something related to the Web server, and then all the other persistent XSS to the server side scripts not filtering the input correctly, so it's a combination of the Web site server and the application on top of the server in the camera."
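The two weaknesses described above, in a small added example that is not from the article or from Pastor's paper: a device log page that interpolates raw log text into HTML (so a field an attacker controls, such as the username in a failed-login entry, becomes live markup) next to the same page with output encoding, and a state-changing admin action with and without a CSRF token check. The log format, the page HTML, and the `add admin` handler are hypothetical.

```python
"""Added example: persistent XSS via an unescaped log page, and a CSRF token
check on a state-changing admin action. Everything here is constructed."""
import hashlib
import hmac
import html
import secrets

# Constructed log entries. The second line is what the log might hold after
# someone typed markup into the login prompt; the log page will render it.
LOG_ENTRIES = [
    "2007-09-10 12:00:01 login ok user=admin",
    "2007-09-10 12:00:05 login failed user=<script>alert(1)</script>",
]


def render_log_page_vulnerable(entries):
    # Raw log text dropped straight into the HTML: any tag in a log line is live.
    rows = "".join(f"<tr><td>{e}</td></tr>" for e in entries)
    return f"<html><body><table>{rows}</table></body></html>"


def render_log_page_hardened(entries):
    # html.escape converts < > & " ' to entities, so the browser displays the
    # log text instead of executing it. Encode at output, per context.
    rows = "".join(f"<tr><td>{html.escape(e, quote=True)}</td></tr>" for e in entries)
    return f"<html><body><table>{rows}</table></body></html>"


# Per-process secret standing in for a per-login-session secret kept server-side.
SESSION_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id):
    # Token bound to the session; a page on another site cannot read or forge it.
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_add_admin(session_id, form):
    """Hypothetical handler for 'add a new admin account'. Without the token
    check, any page the logged-in administrator visits could submit this form
    on their behalf (a cross-site request forgery). Returns an HTTP status."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return 403  # reject: request did not originate from our own page
    # ... account creation would happen here ...
    return 200
```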
Worked with vendor
Pastor first reported his findings to Axis and it agreed to make some changes, but the cameras, even the current models in production, all remain vulnerable to a lot of persistent cross-site scripting and request forgeries. "To be more specific, what they tell me is that they're not going to fix the request forgeries because it takes too much to change that. It's not feasible. And I respect that. At least [Axis] tried to fix many of the issues, they actually bothered to fix a product that has been discontinued... We already have a new camera in the research lab at [ProCheckup]. It's just sitting there. That's the next thing I'm going to poke with. I just want to go for a model that is supported just to prove that it's going to be the same story. So, we'll see."
Even on the recently patched but discontinued Axis 2100 "there are other things that you can still do," Pastor said. In the white paper, Pastor shows how to steal the password file. "These are old-school password files, which means you wouldn't need a shadow file to collect the password; it's just the password file, get the hash, use your favorite password cracker, and then you get a password. Additionally, it's also possible to add a new admin account."
Open networks
The problem isn't just within the camera; it's the way IT administrators are deploying the cameras on the network. Pastor clarified, "To be fair, this is a very widely spread problem nowadays--especially when it comes to network devices, this is a very common problem." In the paper, he talks about how IT departments are very concerned about Web applications and place them in DMZ areas of the network, but for devices like surveillance cameras, they have almost a direct connection to the internal network.
Pastor said many IT departments today don't yet take embedded devices like printers or surveillance cameras into consideration when it comes to security. "When you see a security plan, or a security policy, they never include them. So far they're only thinking about your typical application server Web server, internal facing systems, but, come on, the cameras are Internet-facing, too; they have Web servers, you can upload tools…"
Stepping stone to larger attacks
With his security camera attack, Pastor says, "we can inject anything on the logs page, we can basically make any action that an administrator can do. Anything. Any feature that is there by design you can configure in the background. That's it." Which leads us to phase 2: owning the network beyond the camera.
"I am in love with this concept. This is what I want to research further, to get on the second stage of exploration, which is not compromising the camera but actually getting inside the network."
Others are reporting this problem, as well
"Don't take my word on this," Pastor said. He noted that Seth Fogie, another security researcher, published research on another Axis camera last month. Fogie blogged about vulnerabilities within the more expensive Axis 207W camera. Pastor said that he believes the model Fogie researched comes with NetCat, a utility that allows you to map an internal network. That means "you wouldn't have to port NetCat to make it work on the camera, it's already there." NetCat is used by both administrators and criminal hackers.
Pastor said IT departments aren't worried about embedded devices--yet. "Probably it's because they don't seriously consider the fact that you could use [these devices] for a set-in-stone attack or for bouncing connections and proceeding further into the network." But Pastor is concerned. "It's a very interesting topic and I really want people to poke with this. The post-exploitation, the post-compromised place, this is where I want to go next. This is what I'd like to do." And we'll look forward to seeing his follow-up research.
You can hear more of my interview with Adrian Pastor in this week's Security Bites podcast.
Are security cameras even necessary? Does anyone use them for real-time monitoring? Talk back to me.